Representing Knowledge about Cyber-Physical Systems and IoT

Dr. Edward Griffor, Smart Connected Systems

KR2021 – 3 November 2021

Cyber-Physical Systems | NIST

• CPS and IoT
• Systems Engineering Process
• NIST Framework for Cyber-Physical Systems
• Engineering and Assuring CPS
• Functional Decomposition of CPS
• CPS Framework Concerns
• Logic of CPS Assurance
• Cyber-Physical Interactions
• Reasoning about CPS

​

​

• Use Case: Reasoning about Automated Driving System Safety

Agenda

2

Cyber-Physical Systems | NIST

Cyber-Physical Systems | NIST

CPS and Internet of Things

3

Cyber-Physical Systems comprise interacting digital, analog, physical, and human components engineered for function through integrated logic and physics.

Internet of Things (IoT) comprise interacting digital, analog, physical, and human components for widely connected, interacting, physical ‘things’.

NIST Cyber-Physical Systems Program

Cyber-Physical Systems | NIST

Systems Engineering Process

• State the functional objectives
• Allocate functions to sub-systems and components
• Build components
• Test components (unit testing)
• Assemble and test sub-systems
• Assemble and test full system

4

Cyber-Physical Systems | NIST

NIST Framework for CPS

Domains

• Domain-specific perspectives

Aspects and Concerns

• Identify relevant concerns
• Develop requirements to address them
• Determine dependencies between relevant concerns (efforts for A impact B positively/negatively)

Facets: Modes of Thinking

• Conceptualization, Realization and Assurance
• Develop design, build and test
• Build an assurance case for each relevant concern

5

500+ Government, Industry and University

Stakeholders over a 3-Year Period

Cyber-Physical Systems | NIST

Engineering and Assuring CPS

1. How we conceive CPS
2. How we design, build and assure CPS (throughout the lifecycle)
3. What concerns do we have about CPS/IoT
4. What disciplines we need to address them
5. How we assure CPS trustworthiness

Develop a conceptual framework and the methodologies needed to conceive, realize and assure trustworthy CPS.

Cyber-Physical Systems | NIST

Functional Decomposition of CPS

Cyber-Physical Systems | NIST

8

Concern 2

Concern 1

Trustworthiness

Safety

Reliability

Security

Resilience

Privacy

Cyber Security

Physical Security

Confidentiality

Integrity

Availability

Predictability

Manageability

Dissociability

Controls

Transparency

Innovation

Concern 1

Concern 2

Authorization

Encryption

SME Taxonomies

Functional Safety

Concern1

Concern2

Severity

Frequency

Controllability

Hazard

Apply Aspects/Concerns

CPS Framework Concerns

Cyber-Physical Systems | NIST

Logic of CPS Assurance

CPS Framework provides:

1. Methodologies specific to:
1. Aspects and concerns
2. Engineering activities and outputs
3. Assurance Cases of Concerns
2. Composition of concerns:
1. Requirements constrain parameters
2. Artifacts of design, build, test
3. Represented in portable, reusable format
1. Opensource Data Model: CPS Descriptor (XML)

9

Cyber-Physical Systems | NIST

Cyber-Physical Interactions

Cyber-Physical Systems | NIST

Reasoning about CPS

CPS Framework

• Represents knowledge about CPS and IoT
• Articulates concern-driven requirements critical to our building and composing CPS

CPS Reasoning’s goal

• Add support for:
• Capturing domain knowledge (e.g., Energy Grids and Automated Vehicles)
• Formal reasoning for calculating the dependencies/tradeoffs between concerns
• Enables assessments of:
• Models, cyber-physical attacks, risk mitigations and more
• Interactions between the logical and the physical

Approach

• Combination of cyber-physical systems knowledge representation and automated reasoning

Cyber-Physical Systems | NIST

Use Case: Reasoning about Automated Driving System Safety

Cyber-Physical Systems | NIST

Safety Challenge/Context

Relevance of on-road performance data

Relate on-road performance data to assessing ADS safety – operating conditions must be quantified reproducibly and consistently with the intended operational domain

Developer/Regulator/Assessor confidence in Testing Protocol

Once the operating conditions are precisely understood, the assessment protocol must provide sufficient confidence in vehicle behavioral competencies

Test coverage of dynamic operating state space

Some operating conditions are static, others are dynamic. Must choose test environments to challenge vehicle sufficiently and have precise descriptions

13

Cyber-Physical Systems | NIST

Cyber-Physical Systems | NIST

Workshops and TWG

25-26 June 2019 Consensus Safety Measurement Methodologies for ADS-Equipped Vehicles

Established need for consensus methodologies for ADS safety measurement; Included USDOT/NHTSA, Intel, Intel Mobileye, Lyft, Ricardo, SAE International, and Virginia Tech Transportation Institute, Ford, Volvo, Daimler

7-8 July 2020 ADS Safety and Operational Design Domain

Explored methods for analyzing ODD to support reasoning about ADS Safety; included contributions from Rand, Intel, University of Warwick and British Standards Institution, etc.; coordinated with SAE, IEEE and AVSC

ADS Safety Measurement Technical Working Group�March 2020 - Present

Set agenda for 7-8 July Workshop; developed ADS Logic, Architecture and OES (reference, nominal, and actual); prepared draft NIST 1900 Special Publication A Methodology for Automated Driving System Safety Measurement

14

Cyber-Physical Systems | NIST

Cyber-Physical Systems | NIST

ODD and OES

ODD

An Operational Design Domain (ODD) is a description of the operating conditions under which a given driving automation system or feature thereof is specifically designed to function, including, but not limited to, environmental, geographical, and time-of-day restrictions, and/or the requisite presence or absence of certain traffic or roadway characteristics.

OES

An Operating Envelope Specification (OES) is a structured description of the operating environment for driving, suitable to support formal reasoning about that environment in testing and certification applications and in real-time driving conditions. An instance of an OES comprises the dimensions of the operational state space (whether chosen by the manufacturer, developed from a relevant scenario set, or defined de novo) sufficient to enable reasoning about the state space.

15

Design State Space

• Conditions under which system is designed to function
• E.g., roadway types, congestion, weather conditions, etc.
• Competitive

Operating State Space

• Description of operating�conditions suitable for,�reasoning about system�behaviors
• Measures of all operating�conditions
• Non-competitive

Cyber-Physical Systems | NIST

Cyber-Physical Systems | NIST

OES

Operating Envelope Specification (OES)

Description of ADS operating conditions sufficient for reasoning/calculations to support onboard controls, testing, certification or de novo assessment; OES_Ref reference framework

OES Role in ADS Operation

OES_Nom, and OES_Act provide and maintain info about current operating conditions, available for control decisions

OES Role in Test and Safety Assessment

OES provides quantitative information to expose ADS to relevant operating conditions and ensure test of ADS, comparison of ADS behaviors is meaningful

OES Role in Transportation System Design

Traffic system designers, state or locality, can use OES info to plan traffic system or ADS purchasing decisions

16

Cyber-Physical Systems | NIST

Cyber-Physical Systems | NIST

OES Data

OES Reference (OES_Ref)

A compendium of operating conditions. Content may include, for example, guidance on inventory of roadway characteristics, geometry, angles, controls, design speeds/sight distances, markings, etc.

​

OES Nominal (OES_Nom)

Nominal operating conditions, including the associated parameters and their nominal values. Content may include roadway characteristics, such as roadway components and their physical dimensions and transit paths, for example.

17

OES Actual (OES_Act)

OES Actual (OESAct): Actual, real-time information specifying changes to OESNom. Content may include notifications of changes in nominal operating conditions, values for the associated parameters that have changed and the projected duration of the change, for example.

Cyber-Physical Systems | NIST

Cyber-Physical Systems | NIST

ADS Logic & Architecture

ADS Logic

NIST ADS Logic Chart includes best practices in autonomous systems, awareness of operating conditions thru OES, and produces a continuous flow of path plans that are subjected to system status and object and event detection checks.

ADS Architecture

NIST notional ADS topology and function allocation that includes intelligent components, based on ADS logic, and has been implemented in an ADS co-simulation testbed at NIST.

18

Cyber-Physical Systems | NIST

Cyber-Physical Systems | NIST

Future Work

Implementing OES

OES information, static and dynamic, is vast; need to explore technologies to make OES information available to the vehicle and for safety assessment.

Data gathering and analytics, incl AI

Monitoring data logs gathered, merged and interpreted in terms of a model.

Enhance OES with dynamic operating conditions

Acquire statistics on dynamic operating conditions, e.g., weather and traffic congestion, and merge static map data with dynamic data to develop reliable test strategy for ADS.

Standardization

Analyze and standardize OES reference info, OES_Ref , from which OES_Nom and OES_Act are derived by populating nominal and actual measurement values.

19

Test Coverage

Define equivalence classes of driving scenarios, addressed by a AV competencies, that cover the OES of an AV

Cyber-Physical Systems | NIST

Cyber-Physical Systems | NIST

Questions?

20

Cyber-Physical Systems | NIST

Cyber-Physical Systems | NIST